author | Thomas Müller <thomas.mueller@tmit.eu> | 2016-02-19 09:13:00 +0100 |
---|---|---|
committer | Thomas Müller <thomas.mueller@tmit.eu> | 2016-02-19 09:13:00 +0100 |
commit | f6e61a296f67f71a1c6d5d5bf8d7e891cd708b43 (patch) | |
tree | bb3e285215d32089fdba1d8b55c5495e1507ea50 /core | |
parent | 99051cdbe54c6efa131498f699c1d29642885c74 (diff) | |
parent | 9b3c4e8dc453a674c0f1aee8c60e9d7f24b34e49 (diff) | |
download | nextcloud-server-f6e61a296f67f71a1c6d5d5bf8d7e891cd708b43.tar.gz nextcloud-server-f6e61a296f67f71a1c6d5d5bf8d7e891cd708b43.zip |
Merge pull request #22424 from owncloud/add-generic-csrf-protection-to-webdav
Require CSRF token for non WebDAV authenticated requests
Diffstat (limited to 'core')
-rw-r--r-- | core/js/files/client.js | 5 | ||||
-rw-r--r-- | core/js/oc-backbone-webdav.js | 3 |
2 files changed, 6 insertions, 2 deletions
diff --git a/core/js/files/client.js b/core/js/files/client.js
index a7f393d325f..0bf5a69e19c 100644
--- a/core/js/files/client.js
+++ b/core/js/files/client.js
@@ -37,7 +37,10 @@
 }
 url += options.host + this._root;
- this._defaultHeaders = options.defaultHeaders || {'X-Requested-With': 'XMLHttpRequest'};
+ this._defaultHeaders = options.defaultHeaders || {
+ 'X-Requested-With': 'XMLHttpRequest',
+ 'requesttoken': OC.requestToken
+ };
 this._baseUrl = url;
 var clientOptions = {
diff --git a/core/js/oc-backbone-webdav.js b/core/js/oc-backbone-webdav.js
index ba678a32fcf..1c1b5c71d81 100644
--- a/core/js/oc-backbone-webdav.js
+++ b/core/js/oc-backbone-webdav.js
@@ -240,7 +240,8 @@
 return options.url;
 };
 var headers = _.extend({
- 'X-Requested-With': 'XMLHttpRequest'
+ 'X-Requested-With': 'XMLHttpRequest',
+ 'requesttoken': OC.requestToken
 }, options.headers);
 if (options.type === 'PROPFIND') {
 return callPropFind(client, options, model, headers);
 |
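Review bot: A caller that passes `options.defaultHeaders` replaces the whole default object, so the `requesttoken` header added in core/js/files/client.js is never sent for that client, whereas the `_.extend` call in core/js/oc-backbone-webdav.js merges caller headers over the defaults. Going by the commit title, such requests would presumably fail the server's CSRF check unless every caller adds the token itself. Merging keeps the token while still letting callers override individual keys: `this._defaultHeaders = _.extend({'X-Requested-With': 'XMLHttpRequest', 'requesttoken': OC.requestToken}, options.defaultHeaders);` (this assumes underscore is loaded where client.js runs, which the hunk does not show). The constructor body starts and ends outside the hunk.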
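Review bot: The CSRF token is merged into `headers` in core/js/oc-backbone-webdav.js for every sync call regardless of where the request is sent, and the same holds for the client in core/js/files/client.js, whose base URL is built from the caller-supplied `options.host`. If either can ever address another origin, the session's request token would be disclosed to that server. Consider adding the header only when the target is the current origin, and recording the intent with a comment such as `// requesttoken: CSRF token, send to our own origin only`. The enclosing function starts and ends outside the hunk.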